Rootkit removal

Fixes for two common ‘pseudo’ rootkits (they hide malware but not themselves). Frequently flagged by avast! as Win32:Trojan-gen {Other}.

msdirectx.sys

http://forum.avast.com/index.php?topic=14618.msg142666#msg142666

rdriv.sys

http://forum.avast.com/index.php?topic=16788.msg142660#msg142660

Thanks to noahdfear

Could we make this a sticky?

I second making this a sticky, or having it included in an existing sticky if suitable, as rootkit-hiding malware is now well established and not a concept.

Hi ye all,

Yes, there are loads of postings all coming down to the topic of this one sticky. Why not refer to this one for postings on WIN32:TROJAN-GEN (OTHER)?

polonus

Yesterday I got that virus, named xpjava.exe, in the userinit section.

I sent it to avast.
I removed it by resetting the attributes and renaming the file.

After a reboot the computer was clean, and I was able to delete that renamed file.

Thanks to AVAST, which has an operation blocker that was very useful for finding which program was creating “msdirectx.sys”.

Which operation blocker?
Do you mean a behavior blocker, or just that avast! detected the virus on-access and did not allow it to run?

The “behavior blocker” blocks on Open, Write, Delete, Format and Create operations.

Here is an article about protection from those Rbots:
http://www.networkworld.com/newsletters/bug/2005/0926bug2.html

For CREDIBLE rootkit detection, use the FREE Rootkit Revealer from www.sysinternals.com. If a scan shows anything, go to the forum(s) of your antispyware provider and seek assistance. Before using that program, make sure you have just deleted your Temporary Internet Files.